Weekly Podcast: 2015 end-of-year round-up part two

Part two of last week’s podcast is now available. Rather than covering the events of the past week, we take a look back at the major information security events of 2015. A transcript of the podcast is available below.

Hi there; nice to be with you… happy you could stick around. Welcome to the second part of the special festive edition of the IT Governance podcast, in which we discuss the year in cyber security. This time: July to December 2015. Shall we?

July

In July, Hacking Team – the controversial Italian cyber security company that provides surveillance software to law enforcement agencies and governments around the world – was hacked. 400 GB of documents were posted online via the company’s Twitter account, which was renamed “Hacked Team” by the perpetrators. The documents include source code, employee passwords, and internal documents and email archives that apparently revealed the identity of some of the company’s clients – some of which are oppressive regimes.

Hookup site Ashley Madison (slogan: “Life is short. Have an affair”) was attacked by a group calling itself the Impact Team. A 9.7GB data dump was posted on the dark web, featuring the personal information of 32 million account holders – including their login details, transaction details, names, home addresses and email addresses, and the amount they paid.

95% of Android phones – some 950 million devices – were found to be vulnerable to attack thanks to flaws in Android’s Stagefright code, which controls media playback. It was reported that all an attacker needed to do to gain control of a device is send a multimedia message embedded with malware.

Security researchers Charlie Miller and Chris Valasek – both of whom are now employed by Uber – revealed that they could remotely hack a Jeep Cherokee via a vulnerability in its Uconnect on-board computer, forcing Fiat Chrysler to recall 1.4 million potentially affected vehicles.

And Adobe issued security patches to address 39 vulnerabilities in Flash Player. Mozilla began blocking all versions of Flash Player in Firefox and Facebook’s chief security officer Alex Stamos said on Twitter that it was time for Adobe to announce an end-of-life date for Flash.

August

In August, the personal data of 2.4 million Dixons Carphone customers was affected by a data breach. The data included customers’ names, addresses, dates of birth, email addresses and bank details, as well as the encrypted credit card details of 90,000 people.

The personal details of 458 customers of holiday company Thomson were compromised in a data breach when an email containing the information was mistakenly sent on 15 August. Holidaymakers’ details included names, addresses, email addresses, telephone numbers and flight details.

Popular parenting forum Mumsnet was hit by a spate of attacks. Servers were crashed by distributed denial-of-service attacks, some accounts were compromised – apparently by phishing attacks – and Mumsnet founder Justine Roberts was the victim of a so-called swatting attack, when armed police were called to her home by a hoaxer claiming criminal activity was taking place. All Mumsnet users were advised to change their passwords.

US officials admitted that a Russian cyber attack against the Pentagon’s Joint Staff unclassified email system caused the system to be shut down for more than a fortnight, affecting “some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff.” The intrusion occurred around July 25, and “relied on some kind of automated system” to gather “massive amounts of data”. Officials commented that the attack “was clearly the work of a state actor”. No classified information was compromised.

September

In September, London’s 56 Dean Street clinic – one of Europe’s busiest sexual health clinics – apologised after mistakenly revealing the names and email addresses of 780 patients with HIV in an email. Recipients of a newsletter were supposed to be blind-copied, but whoever sent it mistakenly copied email addresses into the “To:” field rather than “BCC:”, with the result that every recipient could see everyone else’s names and email addresses. The Guardian reported that the employee responsible was “distraught” at their error.
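The “To:” instead of “BCC:” mistake is one that a small pre-send check catches. The Python below is an added example, not code from the podcast or from the clinic: it builds a mailing with every recipient in Bcc, reports which addresses a recipient could actually read, and refuses to hand a message to the mail server if it would expose a recipient list. The addresses, the sender and the one-visible-address threshold are assumptions made for the example.

```python
"""Added example: keep a bulk mailing's recipient list out of the visible headers.
All addresses below are constructed for the example."""
from __future__ import annotations

from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Assumption: a newsletter may show at most one visible address (the sender's own).
MAX_VISIBLE_RECIPIENTS = 1


def build_newsletter(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Address the mailing to the sender and put every real recipient in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # the only address recipients will see
    msg["Bcc"] = ", ".join(recipients)      # never written to the wire, see wire_copy()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg: EmailMessage, *fields: str) -> set[str]:
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def visible_recipients(msg: EmailMessage) -> set[str]:
    """Addresses every recipient can read: To and Cc (plus their Resent- variants)."""
    return _addresses(msg, "To", "Cc", "Resent-To", "Resent-Cc")


def envelope_recipients(msg: EmailMessage) -> set[str]:
    """Everyone the message is actually delivered to, Bcc included."""
    return _addresses(msg, "To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")


def check_before_send(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> None:
    """Refuse the message if it would expose a recipient list in To/Cc."""
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        raise ValueError(
            f"{len(exposed)} addresses exposed in To/Cc (limit {max_visible}); use Bcc for bulk mail"
        )


def wire_copy(msg: EmailMessage) -> tuple[bytes, set[str]]:
    """Return (bytes handed to the MTA, envelope recipients).

    Bcc is stripped from the bytes so recipients travel only in RCPT TO.
    smtplib.SMTP.send_message strips Bcc/Resent-Bcc the same way; this makes it explicit.
    """
    rcpts = envelope_recipients(msg)
    copy = message_from_bytes(msg.as_bytes(), policy=default)
    del copy["Bcc"]
    del copy["Resent-Bcc"]
    return copy.as_bytes(), rcpts


if __name__ == "__main__":
    patients = [f"patient{i}@example.org" for i in range(5)]   # constructed sample list
    ok = build_newsletter("clinic@example.org", patients, "Newsletter", "Clinic news.")
    check_before_send(ok)
    raw, rcpts = wire_copy(ok)
    print("visible to recipients:", sorted(visible_recipients(ok)))
    print("delivered to:", len(rcpts), "addresses; Bcc on the wire:", b"Bcc:" in raw)

    # The mistake described above: the whole list pasted into To.
    bad = EmailMessage()
    bad["From"] = "clinic@example.org"
    bad["To"] = ", ".join(patients)
    bad.set_content("Clinic news.")
    try:
        check_before_send(bad)
    except ValueError as err:
        print("blocked:", err)
```

The guard sits in front of the send call rather than in the mail client, so it works the same whether the newsletter is composed by hand or generated by a script; the Bcc header itself must still be stripped before the bytes leave the organisation, which `wire_copy` (and `smtplib.SMTP.send_message`) does.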

The WhatsApp Web app – the web-based extension of the popular instant messaging phone app – was found to contain several vulnerabilities that could trick victims into executing malware on their machines. More than 200 million people were potentially affected.

In the US, Comcast agreed to pay a fine of $33 million after a data breach in which 75,000 customers had their personal details published online despite having paid to keep it private.

More than 4,000 iOS apps in Apple’s App Store were found to be affected by the XcodeGhost malware after developers, frustrated at slow download speeds behind the so-called Great Firewall of China, downloaded an unofficial and, alas, trojanised copy of Apple’s Xcode app development tool. XcodeGhost was estimated to potentially affect more than 500 million iOS users, mostly in the Asia-Pacific region.

The personal information of thousands of Lloyds Bank Premier account holders was lost when a Royal & Sun Alliance (RSA) data storage device went missing. RSA provided emergency cover to Lloyds Premier customers as standard.

October

In October, the UK’s biggest NHS-approved online pharmacy, Pharmacy2U, was fined £130,000 by the Information Commissioner’s Office for breaching the Data Protection Act by selling the details of more than 20,000 customers via an online marketing company. Information offered for sale by Pharmacy2U included records of “people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1000”.

TalkTalk’s website was subjected to a sustained cyber attack in which criminals potentially accessed up to four million customers’ names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information, and credit card and bank details. TalkTalk chief exec Dido Harding received a ransom demand from someone claiming to be the hacker responsible. The incident was later estimated to have cost the company £35 million.

Safe Harbor, the 15-year-old data transfer pact between the US and the EU allowing the personal information of EU citizens to be transferred to the US without abiding by the strictures of European data protection legislation, was declared invalid by the European Court of Justice in a landmark ruling. The court’s decision was the result of a legal challenge brought against Facebook by Max Schrems, an Austrian privacy campaigner who, in the wake of the Snowden disclosures, was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA.

November

Swiss encrypted email provider ProtonMail was hit by a powerful series of distributed denial-of-service attacks in November, which knocked it and a number of other services offline. ProtonMail points out that the attacks continue, but it has strengthened its defences and is now protected against DDoS attacks.

Hotel chain Hilton Worldwide confirmed that its point-of-sale systems were hit by malware that collected customer payment card data over a 17-week period in November and December last year, and from April to July this year.

Personalised postcard-making app Touchnote was also hacked. The app, which allows users to send their digital photos to friends as physical cards, told registered users that their names, email addresses and order histories – including recipients’ details – had been accessed. Credit card details were not.

In the largest incident of the year – at least in terms of the number of potential victims – children’s toy manufacturer VTech suffered a data breach when criminal hackers attacked its servers. The personal data of 4,833,678 parents – including their “names, email addresses, passwords, and home addresses” – was exposed, as were “the first names, genders and birthdays of 6,368,509 children”.

December

In early December it emerged that the personal details of 656,723 customers of high-street pub chain JD Wetherspoon – including their names, dates of birth, email addresses and telephone numbers – were stolen by criminals in June when a customer database related to an old website was hacked. For 100 customers who purchased vouchers online before August 2014, limited credit and/or debit card information was also stolen.

MacKeeper – the controversial utility software supposedly designed to improve Macs’ performance, but widely condemned for doing exactly the opposite – was found to have exposed the personal data of 13 million customers by storing it unencrypted on easily accessible servers. Kromtech, MacKeeper’s parent company, advised that the vulnerability had been addressed.

And Adobe issued security patches to address 79 vulnerabilities in Flash Player. By my estimation, that number brings the total of unique Flash vulnerabilities addressed by Adobe in 2015 to… 311. Father Christmas will send you the CVE numbers if you’ve been naughty.

Well, that’s it for this week – and this year. For those of you who have been listening, thank you for doing so. If you tire of family films, arguments about board games or gluttonous excess over the festive period, you’ll find the latest information security stories – and more – on our blog.

And remember: whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk. Merry Christmas. We’ll be back in 2016.